
Re: HTTP header suggestion/request (fwd)

From: MegaZone <megazone@livingston.com>
Date: Fri, 8 Nov 1996 07:15:31 -0800 (PST)
Message-Id: <199611081515.HAA02368@server.livingston.com>
To: www-talk@w3.org

Once upon a time Benjamin Franz shaped the electrons to say...
>They are in a fool's paradise if they think that hiding it behind a script
>can force people to see the license. I could mention the MAJOR adult web
>site that has placed their authentication on one server and their files
>and search engine on a *different* server - and trusted to the fact they
>used a POST method form to shield the search engine from direct
>unauthorized access. They were wrong. 

The source files are not accessible to the HTTPD.  Sure they could hack
the server - but then any system is vulnerable to that.  You have to
trust the firewall, etc. on that.  The only way to get the files sent to
you is this one CGI, and the only way to call that CGI is the form.
If you try calling it with any form that doesn't supply the required
info then it refuses to send the files.  It also logs several HTTP
environment variables to back up the server logs and provide links.
You'd need to forge domain name and IP address in addition to giving all
bogus info on the form.  Sure it can be done, but not easily.

That adult site system sounds weak.  No surprise it doesn't work.

>If you want to make sure people read your license - put the files behind
>an .htaccess wall and make them ONLY accessible with a login password that
>is changed daily and given on the license page. And make the login realm

They are *only* accessible via the one CGI, which is only accessible
via this form (which is generated by the CGI on the first call).  Yes, 
someone else could make another form that supplies all the valid input to
get it to send the source, but that would be a deliberate circumvention
and they must have knowledge of the form to copy it, so they saw the
license, QED.

>a confirmation message for the license. Still won't stand up in a court
>though. Nothing not using cryptographic certs will (and not even those in 
>all states).

Well, the lawyers disagree with you on that.  Before we were allowed to
do this they insisted on researching it, and they feel that it is 
defensible and that it will hold up.  Don't ask me, I'm not a lawyer.

>Not as many people as *very experimental* extensions to HTTP. Well over

So, they just have to change the save as name.  No big deal.  It is
convenience.

>90% of browsers today support cookies. There are other approaches as well

Well, I've been watching the user agents dl'ing the source.  Less than 90%
by far are NOT browsers that support cookies.  Quite a number of Lynx and
Mosaic hits.

-MZ
--
Livingston Enterprises - Chair, Department of Interstitial Affairs
Phone: 800-458-9966 510-426-0770 FAX: 510-426-8951 megazone@livingston.com
For support requests: support@livingston.com  <http://www.livingston.com/> 
Snail mail: 6920 Koll Center Parkway  #220, Pleasanton, CA 94566
Received on Friday, 8 November 1996 10:15:37 GMT
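
An added example, not part of the original message and not Livingston's CGI: it contrasts a gate that only checks that the required form fields are present with one that also requires a server-signed, expiring token handed out when the license page is rendered (an HMAC variant of the daily-changing password suggested in the quoted text). The field names, secret and lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: server-side secret, never sent to the client (constructed value).
SECRET = b"constructed-demo-secret"
TOKEN_LIFETIME = 24 * 3600  # seconds; mirrors the "changed daily" idea in the thread
REQUIRED = ("name", "email", "accept")  # hypothetical form fields


def _mac(issued: str) -> bytes:
    return hmac.new(SECRET, issued.encode(), hashlib.sha256).hexdigest().encode()


def issue_token(now=None) -> str:
    """Called while rendering the license page; goes into a hidden form field."""
    issued = str(int(time.time() if now is None else now))
    return issued + "." + _mac(issued).decode()


def token_valid(token: str, now=None) -> bool:
    """True only for an unmodified token issued within TOKEN_LIFETIME."""
    now = time.time() if now is None else now
    issued, _, mac = token.partition(".")
    if not (issued.isascii() and issued.isdigit() and mac):
        return False
    # Constant-time comparison on bytes; a guessed or edited MAC fails here.
    if not hmac.compare_digest(mac.encode(), _mac(issued)):
        return False
    return 0 <= now - int(issued) <= TOKEN_LIFETIME


def fields_only_gate(form: dict) -> bool:
    """Check of the kind the message describes: required fields are supplied."""
    return all(form.get(k) for k in REQUIRED)


def token_gate(form: dict, now=None) -> bool:
    """Fields plus proof that this server rendered the license page recently."""
    return fields_only_gate(form) and token_valid(form.get("license_token", ""), now)


if __name__ == "__main__":
    t0 = 1_000_000  # constructed timestamp
    copied = {"name": "A", "email": "a@example.org", "accept": "yes"}
    served = dict(copied, license_token=issue_token(now=t0))
    print("fields only, copied form:", fields_only_gate(copied))
    print("token gate, copied form: ", token_gate(copied, now=t0 + 60))
    print("token gate, served form: ", token_gate(served, now=t0 + 60))
```

The token shows that the license page was served by this host within the lifetime, not that anyone read it, so it complements the request logging described in the message.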
